Mysterious Mac Malware Has Infected Victims for Years (vice.com)
235 points by kawera 208 days ago | 135 comments



>the widespread belief that they are virus-free, Macs aren't immune from invasive and dangerous malware.

This is an area where it's really hard to extrapolate from my personal experience to the entire population, but is this really an accurate statement of many people's beliefs?

I think what people actually think is that the chances are much lower of encountering malware in the wild on a Mac. In support of that, having an article this long on a single piece of malware that isn't particularly damaging would indicate that it's not the normal state of affairs in Mac land.

I would similarly expect that the chances of drive-by malware on Linux are tiny, perhaps even less common than on a Mac, and thus it would be newsworthy if there were some widespread (in relative terms) Gnome malware, or similar.

It's one thing to think that it's uncommon, and another to think that it's impossible.


People think Macs are virus-free because Apple spent years telling them they were. Example ad, with John Hodgman as the Windows guy with a virus: https://www.youtube.com/watch?v=M3Z386vXrt4


This notion existed far before that ad came out.

It's a combination of a few things: (1) why bother investing time and resources for a platform with around 10% of users and (2) OSX has had strong security mechanisms, e.g. Gatekeeper, XProtect, App Sandbox. Windows 10 is much better but unfortunately not everyone is on that OS yet.


> Windows 10 is much better but unfortunately not everyone is on that OS yet.

Implying Windows 8.1 has security problems... what are they?


Every OS has security problems, and every new OS incorporates fixes to them. If you're looking for specifics, a quick Google search can help there: http://www.csoonline.com/article/3044089/data-protection/the...


Some of these: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=windows+8.1 though I'll grant most of the ones on the front page at least are basically just "everything from 7 on".


What makes it even worse is they carried this over into a support FAQ stating the OS didn't come with an antivirus because X-security features.

If anyone remembers the vintage of this I'd love to dig an archived copy up.


Depending on whom you ask, having an antivirus may actually be more harmful than not, as it digs deep into the system, potentially opening more holes, while not providing much protection due to the reliance on signatures. Heuristics are not yet there to be useful.


Another reason that there may be a perception that OSX is safer these days is that most users only buy software directly from Apple through the app store.


I would say it is accurate. I doubt most users really think it through, and Apple went out of their way to enforce the idea that Macs don't get viruses in their advertising campaigns around 2010 to 2012.

Most users just don't think about it much, and the only exposure they got was ads telling them the thing doesn't get viruses, which Apple finally stopped doing in 2012 after having a very uncomfortable year... https://www.wired.com/2012/06/mac_viruses/

If you're here talking on HN, then yes, you probably fall into the category of folks who properly understand that uncommon != impossible. I sincerely doubt the vast majority of users make that jump.


From that article:

>It may have been technically accurate that Macs don’t get gummed up with PC viruses, but the implication that Apple is virus-free is certainly misleading.

But that "implication" is an assumed implication that I haven't seen play out in my non-tech friends. I always thought that stories like those were just drummed up by anti-virus vendors to make sure that people continue buying their wares.


> I always thought that stories like those were just drummed up by anti-virus vendors to make sure that people continue buying their wares.

Look at this article and every article about Mac viruses.

Always an anti-virus vendor.


Just because the people alerting you to something have a vested interest in you being alerted, that doesn't make them wrong. It's good to know the incentives behind actions, but that doesn't mean we shouldn't look at the facts in each case and come to an informed decision.


>I think what people actually think is that the chances are much lower of encountering malware in the wild on a Mac.

Yes -- and what people believe is also true. It's indeed much lower, to the point of being a non-issue almost.

(And it's not due to "lower market share" either. Mac OS 7/8 etc had even lower market share than today's Macs have, and it had tons of viruses).


> Mac OS 7/8 etc had even lower market share than today's Macs have, and it had tons of viruses

That's not a valid comparison. When Mac OS 7/8 was mainstream, it was common to get software via a floppy disk that had already been in 10 other machines or from a fly-by-night BBS. Nowadays software distribution is far less peer-to-peer, and it's much more difficult for simple viruses to move from machine to machine.

> market share

If it's not market share, then what is it? The vast majority of malware attacks happen via social engineering, not zero day vulnerabilities, and the only requirements for that are a gullible user and a computer capable of running unsigned software.

Edit: Since I don't have access to a disposable Mac, just out of curiosity, what happens if you torrent something like "photoshop for mac full edition (cracked)" and try to install it? On a PC, assuming you make it through the hurricane of warnings Windows tries to throw in your way, this will almost certainly result in malware getting installed on your computer. What mechanism prevents this on a Mac?


>That's not a valid comparison. When Mac OS 7/8 was mainstream, it was common to get software via a floppy disk that had already been in 10 other machines or from a fly-by-night BBS. Nowadays software distribution is far less peer-to-peer, and it's much more difficult for simple viruses to move from machine to machine.

That doesn't make sense. The software that back in the day would be in a disk that had "already been in 10 other machines", can now come from a website that serves millions of machines with the same malware infected programs.


> That's not a valid comparison.

> simple viruses

Read these words again. Regardless of whether there were tons of viruses on MacOS back in 1997, there's no way it's valid to hold up your thumb, squint, and say the current situation is better or worse. The malware on MacOS 8 was almost exclusively viruses made by hobbyists which self-propagated through channels that no longer exist. There were no command and control servers, strong encryption, multi-stage deployments over the web, etc. Modern malware is organized crime that relies primarily on people scamming other people, and requires a ton of back-end infrastructure and support.

In other words, it's harder and success depends on a whole different set of factors.

The person I was replying to was basically asserting that Apple fixed the virus problem that existed before OSX, and as a result malware cartels in 2017 aren't able to attack OSX. Would you believe it if they were saying polio vaccination campaigns in the 50's put a dent in drive-by shootings in the 90's?


Over the history of malware I suspect the largest vector was simply machines connected to the internet. Going back to the OS 7/8 days is kind of irrelevant because worldwide computer adoption was so low. So, for the average person, what they are going to remember is the unpatched exploits / zero day attacks, simply because they affected vastly more people.


Your Mac should be "OK" as long as you don't log in as an admin account when the dodgy app asks.


My experience with tech illiterate people is that they think they can't get viruses on Mac or iOS. Viruses are a Windows-only thing in their minds.


You can't get viruses on iOS unless you're jailbroken - Apple's walled garden pretty much guarantees that. Even jailbreaking is insanely difficult with the newest versions of iOS. There is no public jailbreak of the current version of iOS, or the version before that.


> You can't get viruses on iOS unless you're jailbroken - Apple's walled garden pretty much guarantees that.

No. Apple can't guarantee their software is secure, so their walled garden doesn't guarantee anything like what you say.


For all practical purposes it's true. There has never been a major malware outbreak on iOS, and iOS has never been more secure than it is now.

A while back Apple started pulling anti-virus apps from the app store presumably because they aren't needed: https://9to5mac.com/2015/03/19/apple-app-store-antivirus/. For contrast here is Microsoft's official article on protecting your PC from viruses: https://support.microsoft.com/en-us/help/17228/windows-prote...

In addition, about 80% of iPhones in use are running the latest version of iOS. Apple can patch exploits and have the majority of iPhones secured in a short amount of time. iOS is unique in that respect, and that is just one mitigating factor that makes iOS malware very implausible.


That's just marketing hype mixed with a little bit of goalpost moving. "Has never been more secure than it is now" != secure.

> A while back Apple started pulling anti-virus apps from the app store presumably because they aren't needed.

I think you presume too much. An effective antivirus program cannot run in a sandbox that isolates it from other processes. If Apple pulled 3rd party antivirus apps, I bet it was because they could not both work as advertised and simultaneously obey the sandbox, not because they "aren't needed" (presumably because the platform is "secure").

As for your original statement:

>> You can't get viruses on iOS unless you're jailbroken - Apple's walled garden pretty much guarantees that.

Here's a counterexample: https://www.kaspersky.com/blog/pegasus-spyware/14604/


Pegasus was used by governments to target specific individuals. If you're being targeted by governments I would agree you're out of luck even on iOS.


So, in other words, iOS is insecure and vulnerable to malware.

Governments don't have special hacking powers, they mainly have money and manpower.

It's true, iOS might raise the bar a little bit compared to some other systems, but IMHO it's misleading and dangerous to claim that it's invulnerable.


The point is you're not going to get malware if you open the wrong email or go to the wrong site like you could on Windows. The organizations with enough resources to hack iOS devices aren't interested in sending mass emails to steal bank account details. The average iOS user who keeps their device up to date simply doesn't have to worry about malware and suggesting otherwise is misleading.


> The organizations with enough resources to hack iOS devices aren't interested in sending mass emails to steal bank account details. The average iOS user who keeps their device up to date simply doesn't have to worry about malware and suggesting otherwise is misleading.

Again, no. Here's another counterexample (which is recent and appears to have been active on the App Store for ~1yr):

https://researchcenter.paloaltonetworks.com/2016/03/acedecei...

"These malicious iOS apps provide a connection to a third party app store controlled by the author for user to download iOS apps or games. It encourages users to input their Apple IDs and passwords for more features, and provided these credentials will be uploaded to AceDeceiver’s C2 server after being encrypted."

That's not state actor stuff.

However, I shouldn't have to keep providing counterexamples to convince you of your absurd claims of practical invulnerability. Apple has not made any kind of security quantum leap: no one has. Apple's systems are vulnerable to the same types of flaws, by the same types of attackers, as any other system in wide use. The main difference is that Apple has restricted their platform to the extent they have an easier time implementing security best practices. iOS is still vulnerable to flaws Apple doesn't know about or hasn't patched, and those flaws can be exploited for as long as Apple remains unaware or fails to act. That's not a fundamentally different position from Microsoft, Google, or any other similar company.


What you linked is basically an elaborate phishing scheme. The exploit allows the installation of non app store apps, but that doesn't mean the installed apps can escape the sandbox. The worst thing it can do is try to trick the user into entering passwords into the app's fields. As far as malware goes it's pretty benign.

There have been a handful of cases of iOS malware over the years, but no serious exploit has been widespread. For an exhaustive list see here: https://www.theiphonewiki.com/wiki/Malware_for_iOS

The most widespread malicious apps are generally apps that access private APIs but manage to get through Apple's review process and onto the App Store. They can be far reaching but again they can't breach the sandbox, which means the absolute worst thing they do is upload your email address to some server or try to trick you into giving away your password. I still stand by my assertion that the average user doesn't need to worry about malware on iOS.


> They can be far reaching but again they can't breach the sandbox

False, they can breach the sandbox. The sandbox is software and it has exploitable flaws until proven otherwise (which hasn't happened).

Look, like I said in another comment: you'd be fine if you restricted yourself to relative comparisons, but for some reason you have to go too far and make absolute statements of security, statements which can't possibly be true. iOS might be more secure than other OSes, but it's still insecure, and it's dangerous and misleading to say that any users don't need to exercise reasonable caution.


While that was an interesting article I didn't see it making any claims of having bypassed the sandbox, but "just" the DRM to allow install of pirated apps. The heavy sandboxing of every app on iOS is fundamentally different from any desktop OS. Sandboxing of desktop apps is still very far from a complete implementation.


> The point is you're not going to get malware if you open the wrong email or go to the wrong site like you could on Windows.

So the point is that you aren't going to get malware on your small, entirely constrained and locked down portable computing device like you are on your larger, general purpose open computing device? Why even bother making that comparison?

OS X has plenty of vulnerabilities.[1] If you want to make a coherent argument, source your claims that modern windows only requires you visit a site or open an email, and we can look to see if Apple has had similar vulnerabilities in equivalent products.

1: https://www.cvedetails.com/vulnerability-list/vendor_id-49/p...


I agree with your statement here but it should be noted that a lot of cyber security is the joke about running away from a bear. I don't have to outrun the bear, I just have to outrun you.


Exactly. I wouldn't have a problem if people were saying "iOS is more secure than X" or "You should pick iOS because it's one of the most secure OSes, but you should still be careful." But nooo, the fanboys go too far and spew dangerous, misleading stuff like "it is secure" and "you don't have to be careful" and "it can't get malware."


> If you're being targeted by governments I would agree you're out of luck even on iOS.

Probably true on almost every OS.


There is plenty of iOS malware, it's just buried behind a "free" app which appears to be a simplistic game or whatever.


Citation? AFAIK the iOS sandbox has not been broken on un-jailbroken iOS devices, so at worst you're getting a garbage app that doesn't do what it promises.

I've never seen nor heard of any actual malware outbreak from a non-jailbroken app.


Maybe I should have put malware in quotes. I was generally referring more to the privacy invading, battery sucking, ad displaying, etc. behaviors of the vast majority of applications. Which per Wikipedia (and traditional usage of the term) makes them malware.

Apple/etc. seem to be stuck in the mindset of the various antivirus products before the advent of Ad-Aware/etc. So the products aren't strictly viruses/trojans/worms/etc., but they definitely fit the definition of malware and the end results are potentially just as bad. I would actually prefer any number of viruses over some of the shenanigans the Facebook app has been accused of.


I know next to nothing about iOS, so: why can't the (usually public) jailbreak exploit, or another similarly potent (and probably quite expensive) one, be launched from inside the app? Sure, it has to be hidden to get into the store, but that looks very easy compared to finding the actual jailbreak. One just has to hide an arbitrary code execution vuln in the code of the app somewhere.

So, every app seems to be an attack surface.


If there was a jailbreak available, yes. But there hasn't been a publicly available untethered jailbreak since March of 2016, and there has never been an untethered jailbreak of iOS 10.

The only jailbreak for iOS 10 was semi-tethered and only made public after Apple had patched the vulnerabilities. In order for this to work as malware the user would have to open the malicious app every time their phone restarts. Not only that, every time they open the app their phone would appear to be out of storage and then promptly crash to the boot screen. It would be a bit of a hard sell.


'Pretty much' guarantees.

I switched to Macs back in 2007. I work in IT, have always been careful to install antivirus software on Windows machines and showed my family how to avoid click bait and dangerous downloads. Even so, I frequently used to have to clean malware off my old Windows machines. We do have one Windows laptop on Windows 7 which is lightly used, and most recently it got infected with a Firefox toolbar extension thing a few years ago that took a week to get rid of completely.

I have never once since 2007 had to deal with a single piece of malware on any of our Macs. I know it exists, Handbrake downloads got infected a while back, but the difference is night and day. In my experience Mac OS is dramatically safer than even a fully up to date Windows machine with top tier virus protection software installed.

Maybe that's changed with recent versions of Windows. Cool. Actually the only thing that drives me potty about Macs is the keychain getting corrupted.


While there is of course no guarantee, most of the shitstained-OS-installations that were (or still are?) so common, with symptoms like non-functional systems, ads popping up, or having 90 toolbars are due to user actions. Sure, there are methods to deliver and elevate malware, but most of the 'problems' people experienced (before widespread banking malware) were practically "cosmetic" and "slowness" and almost always due to users randomly downloading and executing anything in their path.

With iOS, that pattern is a lot harder to abuse, and with enforced sandboxing, side-effects between programs (or, 'apps') are somewhat non-existent.

Most of the things that make non-Windows systems less infected seem to either be due to a better security design, less casual users or a drastically lower market share making it a smaller target with possible less effective organic spreading of malware. (or possibly a combination of the three)


You missed the hedge phrase—"pretty much". Obviously there isn't such a thing as a guarantee for security, but there are counterexamples for most OSs. Do you have one for the current iOS version? I haven't seen someone jailbreak their phone since iOS 5, I think, though people did do it since then.

What's the point of your critique when you can apply it to literally any piece of software? Even seL4 relies on a correct processor, and yours has flaws.


With all the security frenzy and Apple pushing iOS as a mainstream OS, I still do not get why this security depends on software and not hardware. Make it impossible for apps to break out of their jail at a hardware level.


Nobody can guarantee their software is secure (secure software doesn't exist), but the fact that the cash value of a sandbox escape/jailbreak of iOS on the black market (or probably even through Apple's bug bounty) far exceeds the value that would be generated from some adware or cryptolocker scam all but guarantees that you won't see any widespread malware.


> cash value of a sandbox escape/jailbreak of iOS on the black market...guarantees that you won't see any widespread malware

Why would the black market pay huge sums for a sandbox escape or jailbreak -- unless it's for malware?

If the answer is "for use by intelligence agencies", well that's malware by any reasonable definition.


The same exploits that are used to jailbreak the device can be used for installing malware. There have been remotely exploitable bugs in iOS, for example in WebKit, but luckily there haven't been people exploiting them. iOS is very safe but not perfect.


I would guess many 20-somethings have recommended a mac to their parents with this as one of the bullet points. At a time, it was more or less true - when dropping a virus on your windows PC was as easy as loading a malicious activex website, macs just didn't even have it. Not to say macs weren't vulnerable, but the attack surface was lower and the cost/benefit to people trying to bot-net your mom's Mac was higher than everyone's unpatched Compaq running Win98.


I'm a 50-something and my Mom with her Mac manages to get infected with browser-based malware. And she's pretty careful. But sometimes those "update" notifications look real to her.


I used to have to clear out malware remotely from one of my grandmother's computers about twice a year, for several years. I was so happy when it finally died; I bought her a Chromebook, which she was very happy with.

Chromebooks are probably the single best option for a computer with a keyboard. I wish the chrometops were a bit more compelling, as I'd probably switch my other grandmother (ubuntu 16.04) over. She has one program she plays a lot (since 1996) which runs under WINE.


I take it she isn't on a recent OSX version?

Because those apps shouldn't be able to be opened unless the author has code signed them.

In which case if they are malware then just report it to Apple and they can centrally block the app.


Yes she is on the most recent OSX version.


The flip side of that is supposedly tech literate IT managers who insist that my company implement "industry standard" virus detection software on a fleet of MacBook Pros. The stupid cuts both ways.


It's been a few years, but the "I'm a Mac and I'm a PC" ad series talked up virus immunity quite a bit. I suppose one could argue that "don't get malware" was narrowly accurate in the sense that it wasn't presently happening, but there was a strong suggestion of "can't get malware" too.


It wasn't presently, and it isn't much happening now either. All these "viruses", or 99% of them, are just trojans.


That doesn't really matter, as to the layperson virus often is a general catch-all term for malware.


Well, to the person that knows better it means you can have a clean Mac by following basic download hygiene -- which is not possible on platforms with widespread viruses targeting vulnerabilities they can exploit automatically and against which you can't protect (except if you don't connect to the internet at all).


Right. The Mac Zealots will say "These aren't viruses! They're unwanted programs purposefully installed by the user who thought he was updating Acrobat." But it's like a 2nd amendment advocate trying to win an argument by pointing out that word "Assault Rifle" is meaningless. It may be true, but it's not a way to argue.


I'm pretty sure "assault rifle" [0] is a reasonably well-defined term and you mean "assault weapon" [1] in your post.

Pointing out that "assault weapon" is meaningless is trying to combat emotive, irrational legislation based on conflating "assault weapon" with "assault rifle" because most people don't understand the difference (and one of the terms was chosen to be intentionally confusing).

[0] https://en.wikipedia.org/wiki/Assault_rifle

[1] https://en.wikipedia.org/wiki/Assault_weapon


You completely misunderstand my point. I'm a card-carrying NRA member, but I wince when I hear someone notice that an anti-2nd-amendment zealot mixes up terms like "magazine" and "cartridge" and thinks "Aha! I've won this argument because you don't know what these basic terms mean." It really doesn't help convince people on the other side to consider another point of view.

In fact, your zealous answer proves my point.

Now back to viruses and PUPs.


I think you misunderstood mine: it's unlike the case of "virus" in the sense that it acquired a general meaning and then was retrofitted with a technical one to co-opt feelings for political goals.

It would be like if people had used "virus" as a generic without it ever having a technical definition (by analogy to infections), then Congress proposed to ban encryption to stop "viruses", because hey, lots of viruses use encryption.

Pointing out that co-opting from the informal "infectious software" to "software that uses encryption" is a meaningful point.

I think you're correct that the usage of virus for unwanted software is fine; I think you're wrong about the evolution of language there matching what happened with "assault weapon". Specifically, one change is going from the technical to the generic, while the other is going from the generic to technical.


Aren't most "viruses" for Windows also just people opening attachments or installing porn site video codecs they shouldn't be?


Most maybe, but not by any means all. And there are tons of auto-installing viruses for windows.


I suspect if you went into 100 Apple stores, and asked 100 of the bubbly salespersons with their cute little Apple shirts if Macs can get viruses, you'd get 50%+ to say no.


Don't Apple stores sell Norton Antivirus? If they do I imagine the response would be far less than 50%, but it'd come with a sales pitch.


>but is this really an accurate statement of many people's beliefs?

Yes. Those on Hacker News may understand it's not true, but non-techies say it all the time, ever since Apple ran those "I'm a PC" TV spots.


Well, what is true is that it's extremely hard to execute arbitrary code without user knowledge on a Mac. Windows has thousands upon thousands of arbitrary code execution bugs where simply opening something like a pdf can allow an attacker to run arbitrary code as a privileged user. There are many defense mechanisms to this that are inherent to the design and implementation of Darwin/Mac OS.


I don't think that's been true since Windows 7. Almost all new viruses rely on user stupidity.


> There are many defense mechanisms to this that are inherent to the design and implementation of Darwin/Mac OS.

Do you have an example? Beyond the idea of user/root separation, which doesn't really do much for modern single user computers: https://xkcd.com/1200/


Kinda unfair to not let me use the biggest example (DAC/user separation) just because there might be sensitive data with user permissions when we're talking about arbitrary code execution. Even still, such a concept makes privilege escalation orders of magnitude harder on *nix systems.

POSIX philosophy also prevents the "keys to the kingdom" kind of exploits you can get in windows, many linux exploits are much harder to chain together simply due to this.

The *nix networking stack has always been much more mature and robust than the Windows stack, although I'll admit that's not necessarily inherent to the design.


Viruses were invented on UNIX.


Sandboxing. All third party apps in the Mac app store, and many system apps. Safari, Mail, Messages, FaceTime, Calendar, Contacts, Photos, Notes, and Reminders are all sandboxed.

I also really like how Gatekeeper ( https://en.wikipedia.org/wiki/Gatekeeper_(macOS) ) works – it quarantines documents such as Word files, so that on first open you get a dialog pointing out that it's been downloaded. This is great, because you see the dialog very infrequently. I actually pay attention to it when it comes up.
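The quarantine the comment above refers to is an extended attribute that macOS stamps on downloaded files; the following is an added example (not from the thread or from Apple) that reads and parses it so an administrator can check whether a file was ever marked. The field layout assumed here (hex flags; hex download time; downloading agent; optional UUID) is a common observed format, not documented by Apple; the sample value is constructed.

```python
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Extended attribute that LaunchServices/Gatekeeper set on downloaded files (macOS).
QUARANTINE_XATTR = "com.apple.quarantine"

# Constructed sample value, in the assumed "flags;time;agent;uuid" layout.
SAMPLE_QUARANTINE = "0083;5f0e1a2b;Safari;1D0B6F2A-3C4E-4F5A-8B9C-0D1E2F3A4B5C"


@dataclass
class QuarantineInfo:
    flags: int                 # raw flag bits as stored (meaning not decoded here)
    downloaded_at: datetime    # when the file was downloaded, UTC
    agent: str                 # application that downloaded it (e.g. Safari, Mail)
    uuid: Optional[str]        # row id in the LaunchServices quarantine database, if present


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse the semicolon-separated com.apple.quarantine value (assumed layout)."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)          # first field: hex flags
    timestamp = int(parts[1], 16)      # second field: hex Unix time of the download
    agent = parts[2]                   # third field: downloading agent name
    uuid = parts[3] if len(parts) > 3 and parts[3] else None  # fourth field may be absent
    return QuarantineInfo(
        flags=flags,
        downloaded_at=datetime.fromtimestamp(timestamp, tz=timezone.utc),
        agent=agent,
        uuid=uuid,
    )


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Return the parsed attribute for `path`, or None if the file carries no quarantine mark.

    os.getxattr exists on macOS and Linux; a missing attribute or a missing file both
    raise OSError, which we treat as "not quarantined".
    """
    if not hasattr(os, "getxattr"):
        return None
    try:
        raw = os.getxattr(path, QUARANTINE_XATTR)
    except OSError:
        return None
    return parse_quarantine(raw.decode("utf-8", "replace"))


if __name__ == "__main__":
    info = parse_quarantine(SAMPLE_QUARANTINE)
    print(f"downloaded by {info.agent} at {info.downloaded_at.isoformat()}, flags=0x{info.flags:04x}")
```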


Windows also does sandboxing.


> many people's beliefs?

Apple marketed it as such even until relatively recently. I've personally heard a few people regurgitate that argument.

It's probably changing because that marketing worked and the platform became more popular: you don't write malware for a platform that nobody uses.


The operative form of this belief is, "you probably shouldn't buy and install a consumer antivirus product for your Mac like you would with a PC" which is probably still true.


I think it is a holdover from the early Mac days, where a large part of the base OS was in ROM.

Thus a simple reboot would clear out any infection.

That, and over time the lack of a general market presence, is likely what led to the belief (never mind that Apple pushed the message with their "I'm a Mac" ads).


The early mac days when there was no hard-disk, maybe. But if you inserted another floppy when the virus was in-memory, it would spread!


It doesn't matter, tech journos are in love with the narrative of "Mac users think they're better than the rest of us, but they're not!"


The details for the infection can be found at Malwarebytes, the discoverer of this issue:

https://blog.malwarebytes.com/threat-analysis/2017/01/new-ma...

This article has the signature of the infection as well as listing the servers with which it communicates.


Someone correct me if I'm wrong but this seems to be talking about FruitFly 1 [1] and the article is about FruitFly 2 [2]. Been digging around and still can't find any description of how to tell if you're infected by the new one.

[1] https://www.virustotal.com/en/file/ce07d208a2d89b4e0134f5282...

[2] https://www.virustotal.com/en/file/befa9bfe488244c64db096522...


So, let me get this straight. If I develop malware in an "archaic" language, using "crude code", then I am not a nation-state. "Undetected for years."

Interesting logic. I wonder if the reverse can be said...

If I were a nation state, perhaps I would be taking notes.


> ...despite the widespread belief that they are virus-free, Macs aren't immune from invasive and dangerous malware.

I keep hearing this, but I never see evidence of these people. Is there a widespread belief that there's a widespread belief that Macs are immune from malware, despite few people who actually think this?

Well, I'm sure such people exist, but there don't seem to be many, even on sites like macrumors and /r/apple where mostly non-technical people with magical feelings for Apple gather and comment.


I worked at a Geek Squad for two years, so definitely take my experience with a grain of salt, but at least in the world of big box retail chains, this was quoted so often by my customers and clients I lost count. Most of my clients that came in with an infection on their Mac (sometimes just a rogue browser extension, but often an honest bit of malware) were genuinely surprised, having purchased the Mac originally because it supposedly didn't have these "Windows" problems.

I suspect this is largely due in part to the types of clients that would actually purchase Geek Squad protection in the first place; my job duties had me working directly with "not computer people" folks most of the time. Still, the idea that Macs were immune to malware was pervasive; on several occasions, folks returned Windows machines they had just purchased (and managed to immediately infect) and picked up a Mac instead, thinking that this act alone would make them immune to their problems, or their kids' online behavior, etc. Most folks were good sports about it though, realizing that they had been misled by advertising, and allowing me to explain good security habits to them during their visit.

I think the biggest thing that bothered me about the job, and the reason I eventually left for greener pastures (I presently work in Linux Administration) was the pervasive idea that you could fix computer problems by buying additional software. This is something retailers have latched on to, and it bugs me on a fundamental level. The only way to actually be more secure is to understand your tools, so that you can recognize when they are misbehaving.


> the biggest thing that bothered me about the job was the pervasive idea that you could fix computer problems by buying additional software

O my god yes. I worked in corporate IT and Management was sold on more complexity all. the. time.


I'd say macrumors and /r/apple are probably a better representation of the general public than other forms of contact you have with people. Realizing that viruses exist escapes some.

Apple even based a commercial on the premise a while back, https://www.youtube.com/watch?v=CHFy6egYcUg


By now Windows also has a much stronger security model. So I'd say that the chances of anything happening would theoretically be about equal in Linux, Windows and Mac. But you'd have to take popularity into account, and since the Mac has become more popular, I'd guess they are a victim more often.


As long as Windows still tries to hide file extensions, the rest of its security barely matters. And in what way would its security model be better than MacOS or Linux? I'd say they are about the same nowadays.


Anecdotally, most non-technical Mac users seem to have better habits than Windows users. Updates get installed and shady software gets loaded up less frequently.


Apple literally had that in their ads.


You need to remember that when those ads aired Windows still ran everything as root and had genuine "viruses", not trojans or other malware. But a virus as in the definition of the term. That Macs and Linux had a sane security model really did make them essentially "immune to viruses" in a very real way.

Today, a genuine virus is a rare thing, most malware are trojans. But back then viruses were the dominant form of malware. It's quite unfair to criticize people claiming Macs don't get "viruses" by changing the context on them to include all malware. That's not the claim people made.


Those ads still ran in 2015 on apple.com.

By that time the user restriction model of Vista had existed for 8 years.


Yes, but a decade or more ago. The security landscape and perceptions around it have changed.

Also, back then the difference between MacOS and Windows was pretty stark so this was a valid marketing point. Not that the ads didn't oversell it, of course.



Nothing on that site makes the claim that Apple software is immune from malware. They claim that it's "secure", but that's relative anyways. All of the real iOS malware I know of abuses either jailbroken devices or enterprise provisionings. The standard infection case of "ran something you shouldn't have" or drive by downloading is a lot harder to pull off there.



That's iOS vs. Windows and we were talking about macOS.

I think that marketing language is a bit BS-y, though.

Probably the general idea they are pushing, that iOS is less susceptible to malware than a laptop, is probably true, so it doesn't bother me much.


In the mid to late 2000s, this was something that was often repeated.


Missing from the article: how to tell if you have it and what to do if you do


See if you have a ~/.client or a ~/Library/LaunchAgents/com.client.client.plist file.


Thanks for the tip - I'm clean :-)


Yeah, I just stuck tape over my camera though.


Is this the same thing? https://blog.malwarebytes.com/threat-analysis/2017/01/new-ma...

It looks like this has been updated by Apple already?


Does anyone know of a good way to check whether my Mac is infected with this (or any other) malware programs? I rarely, if ever, download unknown programs, and my OS is always up-to-date, but still...

Would appreciate for any pointers.


Install MalwareBytes — https://www.malwarebytes.com/


Is this bad advice? Wondering why it's getting voted down. Malwarebytes discovered the issue after all; they're not disreputable.


If abakker's comment https://news.ycombinator.com/item?id=14840063 is the same issue, then it sounds like you just need to look for `~/.client` and `~/Library/LaunchAgents/com.client.client.plist`.
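The two indicator paths named in this thread (~/.client and the com.client.client LaunchAgent), turned into a small check you can run against any home directory. This is an added example, not code from the article or from Malwarebytes; the second loop, which flags any user LaunchAgent whose program path is a dotfile directly under a home directory, is my own generalisation of how this sample persists and is not a claim about other variants.

```shell
#!/bin/sh
# Added example: look for the FruitFly persistence artifacts named in the
# thread. Takes a home directory as its only argument (defaults to $HOME)
# so the check can also be pointed at another user's home or a mounted
# backup. Exit status 0 means nothing found, 1 means at least one hit.
fruitfly_check() {
    home="${1:-$HOME}"
    hits=0

    # Paths quoted in the thread as indicators of this sample.
    for f in "$home/.client" "$home/Library/LaunchAgents/com.client.client.plist"; do
        if [ -e "$f" ]; then
            echo "INDICATOR: $f"
            hits=$((hits + 1))
        fi
    done

    # Generalisation (assumption on my part, not from the thread): any user
    # LaunchAgent that launches a hidden file sitting directly in a home
    # directory deserves a look, since that is how this sample persists.
    # Matches <string>~/.foo</string>, <string>/Users/name/.foo</string>
    # and <string>/var/root/.foo</string> in the plist's ProgramArguments.
    for plist in "$home"/Library/LaunchAgents/*.plist; do
        [ -f "$plist" ] || continue
        if grep -Eq '<string>(~|/Users/[^/<]+|/var/root)/\.[^/<]+</string>' "$plist"; then
            echo "SUSPECT LaunchAgent (runs a dotfile from a home dir): $plist"
            hits=$((hits + 1))
        fi
    done

    [ "$hits" -eq 0 ]
}

# Usage: fruitfly_check            (current user)
#        fruitfly_check /Users/bob (another user's home, needs read access)
```

If it reports a hit, `launchctl list` will show whether the agent is currently loaded; unload it with `launchctl unload` on the plist before deleting the files, otherwise the running process simply keeps going.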


"It was also written in Perl, a language that's "archaic" for malware"

Perhaps why it's good at running under the radar.


I think the main reason it was running under the radar is that the script itself did not contain an exploit that bypassed any security mechanisms. The only difference between a remote desktop app and a new command and control malware is the way it is installed.

It is not all that surprising to me that any targeted malware could operate unnoticed for years. The odds of discovery are directly proportional to the volume of distribution and inversely proportional to the importance of the targets. This malware apparently infected a small number of low profile targets.


Sounds like a disgruntled sys admin.


It's not just Perl; the screen capture code apparently references GWorlds, something I frankly have not seen since writing software in the 1990s for pre-OS X APIs. It's so old that Googling for GWorld hardly has any relevant results.

Most of the sample code for those APIs was deprecated by the mid 2000s.

Unless the attacker had some unique reason for using that, which seems unlikely, that really does put the code at about 10 years old or so...


Given that most people here would be best off not-hacked, what are the best ways (software/security tricks) to avoid malware on OSX?


BlockBlock is genius for preventing installation of persistent components to the OS.

[1] https://objective-see.com/products/blockblock.html


I like the concept but I don't like the fact that BlockBlock needs to install a kernel extension. It says it does this to monitor process creation. Why can't it do it with dtrace?

Example: https://github.com/kenorb/dtrace-tools#processes


They were surprised to find malware that wasn't written by a nation-state, which is kind of depressing.


I see no reason to believe it wasn't. Being brutally pedestrian is the kind of thing I would expect out of great hackers.


Also , it may make sense to write malware that looks like it wasn't a nation state if you are a nation state


Linux has a huge advantage in that it has a very wide array of variants, kernels, and library configurations through many standard distros and further customizations. It makes it much harder to write and distribute complex malware than on a standardized OS like Windows.


As someone new to the Mac ecosystem, is it standard practice to run an antivirus as it is on Windows?

I have used various Linux systems as my daily web browsing machine for years without feeling the need to install any third-party antivirus.


>As someone new to the Mac ecosystem, is it standard practice to run an antivirus as it is on Windows?

No, almost nobody does it (plus, a few "antivirus" products for Mac are malware themselves, e.g. Mac Defender etc.).

Most so-called "viruses" for Mac are in fact merely trojans (programs you need to download and run yourself to infect you).


Corporate laptops everywhere I worked are subject to the same anti-virus policies, regardless of the operating system.


Well, corporate laptops where I work (company bought Macs usually) don't have mandatory (or even suggested) anti-viruses on them.


You probably shouldn't install any antivirus on Windows either. They're so full of holes that they probably increase the likelihood that you get a virus.


No. It's unusual. The most common case is Macs in corporate environments where "local anti-virus" is required across all desktop systems (with such policies typically originating in Windows-centric companies).


I was a Windows user for 10 years. Now a Mac user for 11 years. Haven't needed any sort of antivirus yet. Just thinking back to my time with Windows makes me chuckle, when I had an arsenal of virus scanners, startup disablers, and registry cleaners on hand.


> the former spy agency hacker who now develops free security tools

Nice try, NSA.


Gonna need it from a source better than Vice.


The OP's author, Lorenzo Franceschi-Bicchierai, has always felt like a reliable reporter of this kind of topic, as far as mainstream reporters go: https://motherboard.vice.com/en_us/contributor/lorenzo-franc...



The Vice article seems much better, and I'm not sure Forbes is a more reliable news source, but the corroboration is of course great.

Sounds like we'll be hearing more after BlackHat. Wish I wasn't skipping this year.


Yeah the only other news sources I could find were zdnet and cnet.


I'd imagine they are all reporting from a common source or they read Vice.


Forbes, the site that served malware in their ads (you can't view their page with an adblocker on either).



> Taking control of a command and control server, however, had another unexpected outcome: Around 400 victims infected with FruitFly started connecting to it.

"Unexpected"? How? This would have been obvious to Wardle. Maybe the journalist added this to "inject some suspense"? Thanks but no thanks, I won't bother reading the rest of this article.


Maybe he wasn't expecting to see 400 infected victims.



